recaptime.dev
@recaptime-dev's working patches + fork for Phorge, a community fork of Phabricator. (Upstream dev and stable branches are at upstream/main and upstream/stable respectively.)
hq.recaptime.dev/wiki/Phorge
phorge
phabricator
1@title Drydock User Guide: Security
2@group userguide
3
4Understanding security concerns in Drydock.
5
6Overview
7========
8
9Different applications use Drydock for different things, and some of the things
10they do with Drydock require different levels of trust and access. It is
11important to configure Drydock properly so that less trusted code can't do
12anything you aren't comfortable with.
13
14For example, running unit tests on Drydock normally involves running relatively
15untrusted code (it often has a single author and has not yet been reviewed)
16that needs very few capabilities (generally, it only needs to be able to report
17results back to Phorge). In contrast, automating merge requests on Drydock
18involves running trusted code that needs more access (it must be able to write
19to repositories).
20
21Drydock allows resources to be shared and reused, so it's possible to configure
22Drydock in a way that gives untrusted code a lot of access by accident.
23
24One way Drydock makes allocations faster is by sharing, reusing, and recycling
25resources. When an application asks Drydock for a working copy, it will try to
26satisfy the request by cleaning up a suitable existing working copy if it can,
27instead of building a new one. This is faster, but it means that tasks have
28some ability to interact or interfere with each other.
29
30Similarly, Drydock may allocate multiple leases on the same host at the same
31time, running as the same user. This is generally simpler to configure and less
32wasteful than fully isolating leases, but means that they can interact.
33
34Depending on your organization, environment and use cases, you might not want
35this, and it may be important that different use cases are unable to interfere
36with each other. For example, you might want to prevent unit tests from writing
37to repositories.
38
39**Drydock does not guarantee that resources are isolated by default**. When
40resources are more isolated, they are usually also harder to configure and
41slower to allocate. Because most installs will want to find a balance between
42isolation and complexity/performance, Drydock does not make assumptions about
43either isolation or performance having absolute priority.
44
45You'll usually want to isolate things just enough that nothing bad can happen.
46Fortunately, this is straightforward. This document describes how to make sure
47you have enough isolation so that nothing you're uncomfortable with can occur.
48
49
50Choosing an Isolation Policy
51============================
52
53This section provides some reasonable examples of ways you might approach
54configuring Drydock.
55
56| Isolation | Suitable For | Description
57|-----------|-----|-------
58| Zero | Development | Everything on one host.
59| Low | Small Installs | Use a dedicated Drydock host.
60| High | Most Installs | **Recommended**. Use low-trust and high-trust pools.
61| Custom | Special Requirements | Use multiple pools.
62| Absolute | Special Requirements | Completely isolate all resources.
63
64**Zero Isolation**: Run Drydock operations on the same host that Phorge
65runs on. This is only suitable for developing or testing Phorge. Any
66Drydock operation can potentially compromise Phorge. It is intentionally
67difficult to configure Drydock to operate in this mode. Running Drydock
68operations on the Phorge host is strongly discouraged.
69
70**Low Isolation**: Designate a separate Drydock host and run Drydock
71operations on it. This is suitable for small installs and provides a reasonable
72level of isolation. However, it will allow unit tests (which often run
73lower-trust code) to interfere with repository automation operations.
74
75**High Isolation**: Designate two Drydock host pools and run low-trust
76operations (like builds) on one pool and high-trust operations (like repository
77automation) on a separate pool. This provides a good balance between isolation
78and performance, although tests can still potentially interfere with the
79execution of unrelated tests.
80
81**Custom Isolation**: You can continue adding pools to refine the resource
82isolation model. For example, you may have higher-trust and lower-trust
83repositories or do builds on a mid-trust tier which runs only reviewed code.
84
85**Absolute Isolation**: Configure blueprints to completely initialize and
86destroy hosts or containers on every request, and limit all resources to one
87simultaneous lease. This will completely isolate every operation, but come at
88a high performance and complexity cost.
89
90NOTE: It is not currently possible to configure Drydock in an absolute
91isolation mode.
92
93It is usually reasonable to choose one of these approaches as a starting point
94and then adjust it to fit your requirements. You can also evolve your use of
95Drydock over time as your needs change.
96
97
98Threat Scenarios
99================
100
101This section will help you understand the threats to a Drydock environment.
102Not all threats will be concerning to all installs, and you can choose an
103approach which defuses only the threats you care about.
104
105Attackers have three primary targets:
106
107 - capturing hosts;
108 - compromising Phorge; and
109 - compromising the integrity of other Drydock processes.
110
111**Attacks against hosts** are the least sophisticated. In this scenario, an
112attacker wants to run a program like a Bitcoin miner or botnet client on
113hardware that they aren't paying for or which can't be traced to them. They
114write a "unit test" or which launches this software, then send a revision
115containing this "unit test" for review. If Phorge is configured to
116automatically run tests on new revisions, it may execute automatically and give
117the attacker access to computing resources they did not previously control and
118which can not easily be traced back to them.
119
120This is usually only a meaningful threat for open source installs, because
121there is a high probability of eventual detection and the value of these
122resources is small, so employees will generally not have an incentive to
123attempt this sort of attack. The easiest way to prevent this attack is to
124prevent untrusted, anonymous contributors from running tests. For example,
125create a "Trusted Contributors" project and only run tests if a revision author
126is a member of the project.
127
128**Attacks against Phorge** are more sophisticated. In this scenario, an
129attacker tries to compromise Phorge itself (for example, to make themselves
130an administrator or gain access to an administrator account).
131
132This is made possible if Drydock is running on the same host as Phorge or
133runs on a privileged subnet with access to resources like Phorge database
134hosts. Most installs should be concerned about this attack.
135
136The best way to defuse this attack is to run Drydock processes on a separate
137host which is not on a privileged subnet. For example, use a
138`build.mycompany.com` host or pool for Drydock processes, separate from your
139`phorge.mycompany.com` host or pool.
140
141Even if the host is not privileged, many Drydock processes have some level of
142privilege (enabling them to clone repositories, or report test results back to
143Phorge). Be aware that tests can hijack credentials they are run with,
144and potentially hijack credentials given to other processes on the same hosts.
145You should use credentials with a minimum set of privileges and assume all
146processes on a host have the highest level of access that any process on the
147host has.
148
149**Attacks against Drydock** are the most sophisticated. In this scenario, an
150attacker uses one Drydock process to compromise a different process: for
151example, a unit test which tampers with a merge or injects code into a build.
152This might allow an attacker to make changes to a repository or binary without
153going through review or triggering other rules which would normally detect the
154change.
155
156These attackers could also make failing tests appear to pass, or break tests or
157builds, but these attacks are generally less interesting than tampering with
158a repository or binary.
159
160This is a complex attack which you may not have to worry about unless you have
161a high degree of process and control in your change pipeline. If users can push
162changes directly to repositories, this often represents a faster and easier way
163to achieve the same tampering.
164
165The best way to defuse this attack is to prevent high-trust (repository
166automation) processes from running on the same hosts as low-trust (unit test)
167processes. For example, use an `automation.mycompany.com` host or pool for
168repository automation, and a `build.mycompany.com` host or pool for tests.
169
170
171Applying an Isolation Policy
172============================
173
174Designing a security and isolation policy for Drydock can take some thought,
175but applying it is straightforward. Applications which want to use Drydock must
176explicitly list which blueprints they are allowed to use, and they must be
177approved to use them in Drydock. By default, nothing can do anything, which is
178very safe and secure.
179
180To get builds or automation running on a host, specify the host blueprint as a
181usable blueprint in the build step or repository configuration. This creates a
182new authorization request in Drydock which must be approved before things can
183move forward.
184
185Until the authorization is approved, the process can not use the blueprint to
186create any resources, nor can it use resources previously created by the
187blueprint.
188
189You can review and approve requests from the blueprint detail view in Drydock:
190find the request and click {nav Approve Authorization}. You can also revoke
191approval at any time from this screen which will prevent the object from
192continuing to use the blueprint (but note that this does not release any
193existing leases).
194
195Once the authorization request is approved, the build or automation process
196should be able to run if everything else is configured properly.
197
198Note that authorizations are transitive: if a build step is authorized to use
199blueprint A, and blueprint A is authorized to use blueprint B, the build step
200may indirectly operate on resources created by blueprint B. This should
201normally be consistent with expectations.
202
203
204Next Steps
205==========
206
207Continue by:
208
209 - returning to the @{article:Drydock User Guide}.